teldra
/
vp-build
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

matio: CVE-2019-20020 patch 

Signed-off-by: Nathan Owens <ndowens04@gmail.com>
This commit is contained in:
Nathan Owens 2019-12-28 18:27:42 -06:00 committed by Juan RP
parent 3968670e42
commit 62307abae4
2 changed files with 46 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
srcpkgs/matio/patches/CVE-2019-20020.patch Normal file
View File

@ -0,0 +1,45 @@
From 8138e767bf6df7cccf1664f3a854e596628fdb2d Mon Sep 17 00:00:00 2001
From: Nathan Owens <ndowens04@gmail.com>
Date: Sat, 28 Dec 2019 18:25:58 -0600
Subject: [PATCH] matio: CVE-2019-20020 patch
Signed-off-by: Nathan Owens <ndowens04@gmail.com>
---
src/mat5.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/mat5.c b/src/mat5.c
index abdb351..776f233 100644
--- src/mat5.c
+++ src/mat5.c
@@ -980,10 +980,26 @@ ReadNextCell( mat_t *mat, matvar_t *matvar )
/* Rank and Dimension */
if ( uncomp_buf[0] == MAT_T_INT32 ) {
int j;
+ size_t size;
cells[i]->rank = uncomp_buf[1];
nbytes -= cells[i]->rank;
cells[i]->rank /= 4;
- cells[i]->dims = (size_t*)malloc(cells[i]->rank*sizeof(*cells[i]->dims));
+ if ( 0 == do_clean && cells[i]->rank > 13 ) {
+ int rank = cells[i]->rank;
+ cells[i]->rank = 0;
+ Mat_Critical("%d is not a valid rank", rank);
+ continue;
+ }
+ err = SafeMul(&size, cells[i]->rank, sizeof(*cells[i]->dims));
+ if ( err ) {
+ if ( do_clean )
+ free(dims);
+ Mat_VarFree(cells[i]);
+ cells[i] = NULL;
+ Mat_Critical("Integer multiplication overflow");
+ continue;
+ }
+ cells[i]->dims = (size_t*)malloc(size);
if ( mat->byteswap ) {
for ( j = 0; j < cells[i]->rank; j++ )
cells[i]->dims[j] = Mat_uint32Swap(dims + j);
--
2.24.1

2
srcpkgs/matio/template
View File

@ -1,7 +1,7 @@
# Template file for 'matio'
pkgname=matio
version=1.5.17
revision=1
revision=2
build_style=gnu-configure
configure_args="--disable-static"
hostmakedepends="libtool"